ACCORDING to the Financial Times, bug bounty programmes are being overwhelmed by AI-generated, low-quality reports as researchers flood schemes with spurious submissions. Bugcrowd, whose customers include OpenAI, T-Mobile and Motorola, said reports more than quadrupled over a three-week period in March, most of them false, while the curl project suspended its paid programme in January, citing an explosion in "AI slop" reports.
Cybersecurity experts note that advances in generative AI are reshaping the economics of bug bounty schemes: lowering the barrier to entry and triggering a flood of automated or erroneous submissions that firms must sift through. Sophos's chief information security officer, Ross McKerchar, described the surge as quickly becoming a major problem and said bug bounties will stay but must change.
Nextcloud also suspended its programme in April because of the massive increase in low-quality reports, with the aim of resuming once submissions can be filtered more effectively. Companies are responding with stricter background checks on researchers and AI-assisted triage tools. HackerOne reported a 76 per cent rise in submissions to March, while the share of submissions that turned out to be legitimate vulnerabilities held at around 25 per cent, a nuance noted by its chief executive, Kara Sprague.